Hi Jesus,

I'm having the same problem, and the triggering of this rule causes so much 
noise that it's drowning out other alerts. I have added a rule like you 
suggested to my local rules:

  <rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
    <if_matched_sid>510</if_matched_sid>
    <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
    <description>Ignore rootcheck warning on world-writable docker volumes</description>
  </rule>

But it doesn't seem to have an effect. I've played with the regex, 
simplifying it and even deleting it altogether, but I still can't seem to 
get it working. Logtest shows the following output:


File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.


**Phase 1: Completed pre-decoding.
       full event: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
       hostname: 'ec2-12-34-56-78'
       program_name: '(null)'
       log: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'

**Phase 2: Completed decoding.
       No decoder matched.


I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is there 
anything obvious that I'm doing wrong?

Cheers!
Gert



On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares wrote:
>
> Hi Rob,
>
> you need to add the conditions to trigger that rule only for your specific 
> files. Use match or regex:
>
> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>     <if_matched_sid>510</if_matched_sid>
>     <!--
>     conditions:
>     option 1:
>     <match>YOUR_FILE1|YOUR_FILE2|...</match>
>     option 2:
>     <regex>YOUR_FILE\.+</regex>
>     -->
>     <description>Ignore rule 510 for 600 seconds for some files.</description>
> </rule>
>
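Added example (not part of the thread, and not OSSEC or Wazuh code): a small Python script that checks the text conditions of a child rule offline, the way a practitioner would before reloading analysisd. It takes the rootcheck message Gert posted, plus a second, constructed rootcheck warning that must not be silenced, and runs them through (a) an approximation of the OSSEC os_regex dialect used by `<regex>` (`\.` is any character, `\d`, `\s`, `\w` and friends are classes, a bare `.` is literal; the class membership table is an assumption, not the real engine) and (b) the substring semantics of `<match>` with `|` alternatives and `^`/`$` anchors. It also shows what happens when a line break ends up inside the `<regex>` element, as mail wrapping does to the rule above: the pattern then requires a literal newline and never matches. The script says nothing about whether the event reaches rule 510 inside analysisd in the first place; that is a decoding question it does not model.

```python
import re

# Rootcheck message from the thread (the event fed to logtest above).
DOCKER_EVENT = (
    "File '/var/lib/docker/volumes/"
    "81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e"
    "/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' "
    "is owned by root and has written permissions to anyone."
)

# Constructed sample of a rootcheck warning that must NOT be silenced.
OTHER_EVENT = (
    "File '/etc/cron.d/backup' is owned by root and has written "
    "permissions to anyone."
)

# The <regex> from the local rule, on one line.
RULE_REGEX = (
    r"/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has "
    "written permissions to anyone"
)

# The same pattern with the line break that mail wrapping (or a stray
# newline inside the element in local_rules.xml) would introduce.
WRAPPED_REGEX = (
    r"/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has "
    "\nwritten permissions to anyone"
)

# Assumed translation table for os_regex escapes.  Approximation for local
# checking only: the real engine is not PCRE and \w / \p membership here
# follows the os_regex documentation from memory.
_CLASSES = {
    ".": ".",                      # \. : any character
    "d": "[0-9]",
    "D": "[^0-9]",
    "s": " ",                      # \s : a single space
    "S": "[^ ]",
    "t": "\t",
    "w": "[A-Za-z0-9@_-]",
    "W": "[^A-Za-z0-9@_-]",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&]""",
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # *, +, ^, $, | and () keep their meaning; everything else,
        # including a bare '.', is a literal in os_regex.
        out.append(c if c in "*+^$|()" else re.escape(c))
        i += 1
    return "".join(out)


def ossec_regex_matches(pattern: str, text: str) -> bool:
    """<regex> is unanchored unless ^/$ are used, so search, not fullmatch."""
    return re.search(ossec_regex_to_python(pattern), text) is not None


def ossec_match(pattern: str, text: str) -> bool:
    """<match>: substring test; '|' separates alternatives; '^' and '$'
    anchor an alternative to the start / end of the log line."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lo = 1 if start else 0
        hi = len(alt) - 1 if end else len(alt)
        core = alt[lo:hi]
        if start and end:
            hit = text == core
        elif start:
            hit = text.startswith(core)
        elif end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def rule_silences(event: str, regex: str = None, match: str = None) -> bool:
    """True if a level-0 child rule carrying these conditions would claim the
    event.  When both conditions are given, both must hold."""
    if regex is not None and not ossec_regex_matches(regex, event):
        return False
    if match is not None and not ossec_match(match, event):
        return False
    return True


if __name__ == "__main__":
    for name, evt in (("docker", DOCKER_EVENT), ("other ", OTHER_EVENT)):
        print(name, "one-line regex:", rule_silences(evt, regex=RULE_REGEX))
        print(name, "wrapped regex: ", rule_silences(evt, regex=WRAPPED_REGEX))
        print(name, "match:         ",
              rule_silences(evt, match="/var/lib/docker/volumes/"))
```

Run it as a script to see the three outcomes per event; the docker event is claimed by the one-line regex and by the `<match>` form, but not by the wrapped regex, and the constructed `/etc/cron.d` event is never claimed.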

 
